From f114ca84d5ee2931d00dcd756bcac1cdddfafcea Mon Sep 17 00:00:00 2001
From: Jean-Noel Rouvignac <jean-noel.rouvignac@forgerock.com>
Date: Thu, 15 May 2014 12:57:35 +0000
Subject: [PATCH] Code cleanup.
---
opends/src/server/org/opends/server/crypto/CryptoManagerImpl.java | 245 +++++++++++++++++++++++++++----------------------
1 files changed, 135 insertions(+), 110 deletions(-)
diff --git a/opends/src/server/org/opends/server/crypto/CryptoManagerImpl.java b/opends/src/server/org/opends/server/crypto/CryptoManagerImpl.java
index 4d87f09..0affb42 100644
--- a/opends/src/server/org/opends/server/crypto/CryptoManagerImpl.java
+++ b/opends/src/server/org/opends/server/crypto/CryptoManagerImpl.java
@@ -23,13 +23,10 @@
*
* Copyright 2006-2010 Sun Microsystems, Inc.
* Portions Copyright 2009 Parametric Technology Corporation (PTC)
- * Portions Copyright 2011 ForgeRock AS
+ * Portions Copyright 2011-2014 ForgeRock AS
*/
package org.opends.server.crypto;
-import org.opends.messages.Message;
-import static org.opends.messages.CoreMessages.*;
-
import java.io.InputStream;
import java.io.IOException;
import java.io.OutputStream;
@@ -38,54 +35,54 @@
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
+import java.text.ParseException;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;
-import java.text.ParseException;
+
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.KeyManager;
-import javax.net.ssl.TrustManager;
import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedKeyManager;
import org.opends.admin.ads.ADSContext;
-import org.opends.server.admin.std.server.CryptoManagerCfg;
+import org.opends.messages.Message;
import org.opends.server.admin.server.ConfigurationChangeListener;
+import org.opends.server.admin.std.server.CryptoManagerCfg;
import org.opends.server.api.Backend;
import org.opends.server.backends.TrustStoreBackend;
-import org.opends.server.config.ConfigException;
import org.opends.server.config.ConfigConstants;
-import org.opends.server.core.DirectoryServer;
+import org.opends.server.config.ConfigException;
import org.opends.server.core.AddOperation;
+import org.opends.server.core.DirectoryServer;
import org.opends.server.core.ModifyOperation;
-import static org.opends.server.loggers.debug.DebugLogger.*;
import org.opends.server.loggers.debug.DebugTracer;
-import static org.opends.server.util.StaticUtils.*;
-import org.opends.server.util.Validator;
-import org.opends.server.util.SelectableCertificateKeyManager;
-import org.opends.server.util.StaticUtils;
-import org.opends.server.util.Base64;
-import org.opends.server.util.ServerConstants;
-import static org.opends.server.util.ServerConstants.OC_TOP;
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.protocols.internal.InternalSearchOperation;
import org.opends.server.protocols.ldap.ExtendedRequestProtocolOp;
-import org.opends.server.protocols.ldap.LDAPMessage;
import org.opends.server.protocols.ldap.ExtendedResponseProtocolOp;
+import org.opends.server.protocols.ldap.LDAPMessage;
import org.opends.server.protocols.ldap.LDAPResultCode;
+import org.opends.server.schema.BinarySyntax;
import org.opends.server.schema.DirectoryStringSyntax;
import org.opends.server.schema.IntegerSyntax;
-import org.opends.server.schema.BinarySyntax;
import org.opends.server.tools.LDAPConnection;
import org.opends.server.tools.LDAPConnectionOptions;
import org.opends.server.tools.LDAPReader;
import org.opends.server.tools.LDAPWriter;
import org.opends.server.types.*;
+import org.opends.server.util.*;
+
+import static org.opends.messages.CoreMessages.*;
+import static org.opends.server.loggers.debug.DebugLogger.*;
+import static org.opends.server.util.ServerConstants.*;
+import static org.opends.server.util.StaticUtils.*;
/**
This class implements the Directory Server cryptographic framework,
@@ -129,87 +126,93 @@
private static ObjectClass ocCipherKey;
private static ObjectClass ocMacKey;
- // The DN of the local truststore backend.
+ /** The DN of the local truststore backend. */
private static DN localTruststoreDN;
- // The DN of the ADS instance keys container.
+ /** The DN of the ADS instance keys container. */
private static DN instanceKeysDN;
- // The DN of the ADS secret keys container.
+ /** The DN of the ADS secret keys container. */
private static DN secretKeysDN;
- // The DN of the ADS servers container.
+ /** The DN of the ADS servers container. */
private static DN serversDN;
- // Indicates whether the schema references have been initialized.
+ /** Indicates whether the schema references have been initialized. */
private static boolean schemaInitDone = false;
- // The secure random number generator used for key generation,
- // initialization vector PRNG seed...
+ /**
+ * The secure random number generator used for key generation, initialization
+ * vector PRNG seed...
+ */
private static final SecureRandom secureRandom = new SecureRandom();
- // The random number generator used for initialization vector
- // production.
+ /** The random number generator used for initialization vector production. */
private static final Random pseudoRandom
= new Random(secureRandom.nextLong());
- // The first byte in any ciphertext produced by CryptoManager is the
- // prologue version. At present, this constant is both the version written
- // and the expected version. If a new version is introduced (e.g., to allow
- // embedding the HMAC key identifier and signature in a signed backup) the
- // prologue version will likely need to be configurable at the granularity
- // of the CryptoManager client (e.g., password encryption might use version 1,
- // while signed backups might use version 2.
+ /**
+ * The first byte in any ciphertext produced by CryptoManager is the prologue
+ * version. At present, this constant is both the version written and the
+ * expected version. If a new version is introduced (e.g., to allow embedding
+ * the HMAC key identifier and signature in a signed backup) the prologue
+ * version will likely need to be configurable at the granularity of the
+ * CryptoManager client (e.g., password encryption might use version 1, while
+ * signed backups might use version 2.
+ */
private static final int CIPHERTEXT_PROLOGUE_VERSION = 1 ;
- // The map from encryption key ID to CipherKeyEntry (cache). The
- // cache is accessed by methods that request, publish, and import
- // keys.
+ /**
+ * The map from encryption key ID to CipherKeyEntry (cache). The cache is
+ * accessed by methods that request, publish, and import keys.
+ */
private final Map<KeyEntryID, CipherKeyEntry> cipherKeyEntryCache
= new ConcurrentHashMap<KeyEntryID, CipherKeyEntry>();
- // The map from encryption key ID to MacKeyEntry (cache). The cache
- // is accessed by methods that request, publish, and import keys.
+ /**
+ * The map from encryption key ID to MacKeyEntry (cache). The cache is
+ * accessed by methods that request, publish, and import keys.
+ */
private final Map<KeyEntryID, MacKeyEntry> macKeyEntryCache
= new ConcurrentHashMap<KeyEntryID, MacKeyEntry>();
- // The preferred key wrapping transformation
+ /** The preferred key wrapping transformation. */
private String preferredKeyWrappingTransformation;
// TODO: Move the following configuration to backup or backend configuration.
// TODO: https://opends.dev.java.net/issues/show_bug.cgi?id=2472
- // The preferred message digest algorithm for the Directory Server.
+ /** The preferred message digest algorithm for the Directory Server. */
private String preferredDigestAlgorithm;
- // The preferred cipher for the Directory Server.
+ /** The preferred cipher for the Directory Server. */
private String preferredCipherTransformation;
- // The preferred key length for the preferred cipher.
+ /** The preferred key length for the preferred cipher. */
private int preferredCipherTransformationKeyLengthBits;
- // The preferred MAC algorithm for the Directory Server.
+ /** The preferred MAC algorithm for the Directory Server. */
private String preferredMACAlgorithm;
- // The preferred key length for the preferred MAC algorithm.
+ /** The preferred key length for the preferred MAC algorithm. */
private int preferredMACAlgorithmKeyLengthBits;
// TODO: Move the following configuration to replication configuration.
// TODO: https://opends.dev.java.net/issues/show_bug.cgi?id=2473
- // The name of the local certificate to use for SSL.
+ /** The name of the local certificate to use for SSL. */
private final String sslCertNickname;
- // Whether replication sessions use SSL encryption.
+ /** Whether replication sessions use SSL encryption. */
private final boolean sslEncryption;
- // The set of SSL protocols enabled or null for the default set.
+ /** The set of SSL protocols enabled or null for the default set. */
private final SortedSet<String> sslProtocols;
- // The set of SSL cipher suites enabled or null for the default set.
+ /** The set of SSL cipher suites enabled or null for the default set. */
private final SortedSet<String> sslCipherSuites;
@@ -295,9 +298,8 @@
}
- /**
- * {@inheritDoc}
- */
+ /** {@inheritDoc} */
+ @Override
public boolean isConfigurationChangeAcceptable(
CryptoManagerCfg cfg,
List<Message> unacceptableReasons)
@@ -434,23 +436,18 @@
}
- /**
- * {@inheritDoc}
- */
- public ConfigChangeResult applyConfigurationChange(
- CryptoManagerCfg cfg)
+ /** {@inheritDoc} */
+ @Override
+ public ConfigChangeResult applyConfigurationChange(CryptoManagerCfg cfg)
{
- ResultCode resultCode = ResultCode.SUCCESS;
- boolean adminActionRequired = false;
- List<Message> messages = new ArrayList<Message>();
-
preferredDigestAlgorithm = cfg.getDigestAlgorithm();
preferredMACAlgorithm = cfg.getMacAlgorithm();
preferredMACAlgorithmKeyLengthBits = cfg.getMacKeyLength();
preferredCipherTransformation = cfg.getCipherTransformation();
preferredCipherTransformationKeyLengthBits = cfg.getCipherKeyLength();
preferredKeyWrappingTransformation = cfg.getKeyWrappingTransformation();
- return new ConfigChangeResult(resultCode, adminActionRequired, messages);
+ return new ConfigChangeResult(ResultCode.SUCCESS, false,
+ new ArrayList<Message>());
}
@@ -506,9 +503,7 @@
RDN.create(attrKeyID, distinguishedValue));
// Construct the search filter.
final String FILTER_OC_INSTANCE_KEY =
- new StringBuilder("(objectclass=")
- .append(ocInstanceKey.getNameOrOID())
- .append(")").toString();
+ "(objectclass=" + ocInstanceKey.getNameOrOID() + ")";
// Construct the attribute list.
final LinkedHashSet<String> requestedAttributes
= new LinkedHashSet<String>();
@@ -581,7 +576,7 @@
ERR_CRYPTOMGR_FAILED_INSTANCE_CERTIFICATE_NULL.get(entryDN.toString());
throw new CryptoManagerException(msg);
}
- return(certificate);
+ return certificate;
}
@@ -656,9 +651,7 @@
RDN.create(attrKeyID, distinguishedValue));
// Construct the search filter.
final String FILTER_OC_INSTANCE_KEY =
- new StringBuilder("(objectclass=")
- .append(ocInstanceKey.getNameOrOID())
- .append(")").toString();
+ "(objectclass=" + ocInstanceKey.getNameOrOID() + ")";
// Construct the attribute list.
final LinkedHashSet<String> requestedAttributes
= new LinkedHashSet<String>();
@@ -736,17 +729,12 @@
= new HashMap<String, byte[]>();
try {
// Construct the search filter.
- final String FILTER_OC_INSTANCE_KEY
- = new StringBuilder("(objectclass=")
- .append(ocInstanceKey.getNameOrOID())
- .append(")").toString();
- final String FILTER_NOT_COMPROMISED = new StringBuilder("(!(")
- .append(attrCompromisedTime.getNameOrOID())
- .append("=*))").toString();
- final String searchFilter = new StringBuilder("(&")
- .append(FILTER_OC_INSTANCE_KEY)
- .append(FILTER_NOT_COMPROMISED)
- .append(")").toString();
+ final String FILTER_OC_INSTANCE_KEY =
+ "(objectclass=" + ocInstanceKey.getNameOrOID() + ")";
+ final String FILTER_NOT_COMPROMISED =
+ "(!(" + attrCompromisedTime.getNameOrOID() + "=*))";
+ final String searchFilter =
+ "(&" + FILTER_OC_INSTANCE_KEY + FILTER_NOT_COMPROMISED + ")";
// Construct the attribute list.
final LinkedHashSet<String> requestedAttributes
= new LinkedHashSet<String>();
@@ -784,7 +772,7 @@
instanceKeysDN.toString(),
getExceptionMessage(ex)), ex);
}
- return(certificateMap);
+ return certificateMap;
}
@@ -1061,7 +1049,9 @@
serversDN, SearchScope.SUBORDINATE_SUBTREE,
SearchFilter.createFilterFromString(filter));
if (internalSearch.getResultCode() != ResultCode.SUCCESS)
+ {
continue;
+ }
LinkedList<SearchResultEntry> resultEntries =
internalSearch.getSearchEntries();
@@ -1080,10 +1070,10 @@
AtomicInteger nextMessageID = new AtomicInteger(1);
LDAPConnectionOptions connectionOptions =
new LDAPConnectionOptions();
- PrintStream nullPrintStream =
- new PrintStream(new OutputStream() {
- public void write ( int b ) { }
- });
+ PrintStream nullPrintStream = new PrintStream(new OutputStream() {
+ @Override
+ public void write(int b) {}
+ });
LDAPConnection connection =
new LDAPConnection(hostname, ldapPort,
connectionOptions,
@@ -1159,9 +1149,11 @@
void importCipherKeyEntry(Entry entry)
throws CryptoManagerException
{
- // Ignore the entry if it does not have the appropriate
- // objectclass.
- if (!entry.hasObjectClass(ocCipherKey)) return;
+ // Ignore the entry if it does not have the appropriate objectclass.
+ if (!entry.hasObjectClass(ocCipherKey))
+ {
+ return;
+ }
try
{
@@ -1194,7 +1186,10 @@
for (String symmetricKey : symmetricKeys)
{
secretKey = decodeSymmetricKeyAttribute(symmetricKey);
- if (secretKey != null) break;
+ if (secretKey != null)
+ {
+ break;
+ }
}
if (null != secretKey) {
@@ -1263,9 +1258,11 @@
void importMacKeyEntry(Entry entry)
throws CryptoManagerException
{
- // Ignore the entry if it does not have the appropriate
- // objectclass.
- if (!entry.hasObjectClass(ocMacKey)) return;
+ // Ignore the entry if it does not have the appropriate objectclass.
+ if (!entry.hasObjectClass(ocMacKey))
+ {
+ return;
+ }
try
{
@@ -1295,7 +1292,10 @@
for (String symmetricKey : symmetricKeys)
{
secretKey = decodeSymmetricKeyAttribute(symmetricKey);
- if (secretKey != null) break;
+ if (secretKey != null)
+ {
+ break;
+ }
}
if (secretKey == null)
@@ -1475,6 +1475,7 @@
* @return {@code true} if the objects are the same, {@code false}
* otherwise.
*/
+ @Override
public boolean equals(final Object obj){
return obj instanceof KeyEntryID
&& fValue.equals(((KeyEntryID) obj).fValue);
@@ -1485,6 +1486,7 @@
*
* @return a hash code value for this {@code KeyEntryID}.
*/
+ @Override
public int hashCode() {
return fValue.hashCode();
}
@@ -1684,20 +1686,17 @@
final String transformation,
final int keyLengthBits)
throws CryptoManagerException {
-
- final Map<KeyEntryID, CipherKeyEntry> cache
- = (null == cryptoManager)
- ? null : cryptoManager.cipherKeyEntryCache;
+ final Map<KeyEntryID, CipherKeyEntry> cache =
+ cryptoManager != null ? cryptoManager.cipherKeyEntryCache : null;
CipherKeyEntry keyEntry = new CipherKeyEntry(transformation,
keyLengthBits);
- // Validate the key entry. Record the initialization vector length, if
- // any.
+ // Validate the key entry. Record the initialization vector length, if any
final Cipher cipher = getCipher(keyEntry, Cipher.ENCRYPT_MODE, null);
// TODO: https://opends.dev.java.net/issues/show_bug.cgi?id=2471
final byte[] iv = cipher.getIV();
- keyEntry.setIVLengthBits((null == iv) ? 0 : iv.length * Byte.SIZE);
+ keyEntry.setIVLengthBits(null == iv ? 0 : iv.length * Byte.SIZE);
if (null != cache) {
/* The key is published to ADS before making it available in the local
@@ -1986,8 +1985,8 @@
*/
private static String keyAlgorithmFromTransformation(
String transformation){
- final int separatorIndex = transformation.indexOf('/');
- return (0 < separatorIndex)
+ final int separatorIndex = transformation.indexOf('/');
+ return 0 < separatorIndex
? transformation.substring(0, separatorIndex)
: transformation;
}
@@ -2239,8 +2238,8 @@
throws CryptoManagerException {
Validator.ensureNotNull(algorithm);
- final Map<KeyEntryID, MacKeyEntry> cache = (null == cryptoManager)
- ? null : cryptoManager.macKeyEntryCache;
+ final Map<KeyEntryID, MacKeyEntry> cache =
+ cryptoManager != null ? cryptoManager.macKeyEntryCache : null;
final MacKeyEntry keyEntry = new MacKeyEntry(algorithm, keyLengthBits);
@@ -2619,6 +2618,7 @@
/** {@inheritDoc} */
+ @Override
public String getPreferredMessageDigestAlgorithm()
{
return preferredDigestAlgorithm;
@@ -2626,6 +2626,7 @@
/** {@inheritDoc} */
+ @Override
public MessageDigest getPreferredMessageDigest()
throws NoSuchAlgorithmException
{
@@ -2634,6 +2635,7 @@
/** {@inheritDoc} */
+ @Override
public MessageDigest getMessageDigest(String digestAlgorithm)
throws NoSuchAlgorithmException
{
@@ -2642,6 +2644,7 @@
/** {@inheritDoc} */
+ @Override
public byte[] digest(byte[] data)
throws NoSuchAlgorithmException
{
@@ -2651,6 +2654,7 @@
/** {@inheritDoc} */
+ @Override
public byte[] digest(String digestAlgorithm, byte[] data)
throws NoSuchAlgorithmException
{
@@ -2659,6 +2663,7 @@
/** {@inheritDoc} */
+ @Override
public byte[] digest(InputStream inputStream)
throws IOException, NoSuchAlgorithmException
{
@@ -2682,6 +2687,7 @@
/** {@inheritDoc} */
+ @Override
public byte[] digest(String digestAlgorithm,
InputStream inputStream)
throws IOException, NoSuchAlgorithmException
@@ -2705,6 +2711,7 @@
/** {@inheritDoc} */
+ @Override
public String getMacEngineKeyEntryID()
throws CryptoManagerException
{
@@ -2714,6 +2721,7 @@
/** {@inheritDoc} */
+ @Override
public String getMacEngineKeyEntryID(final String macAlgorithm,
final int keyLengthBits)
throws CryptoManagerException {
@@ -2731,16 +2739,18 @@
/** {@inheritDoc} */
+ @Override
public Mac getMacEngine(String keyEntryID)
throws CryptoManagerException
{
final MacKeyEntry keyEntry = MacKeyEntry.getKeyEntry(this,
new KeyEntryID(keyEntryID));
- return (null == keyEntry) ? null : getMacEngine(keyEntry);
+ return keyEntry != null ? getMacEngine(keyEntry) : null;
}
/** {@inheritDoc} */
+ @Override
public byte[] encrypt(byte[] data)
throws GeneralSecurityException, CryptoManagerException
{
@@ -2750,6 +2760,7 @@
/** {@inheritDoc} */
+ @Override
public byte[] encrypt(String cipherTransformation,
int keyLengthBits,
byte[] data)
@@ -2769,7 +2780,7 @@
final byte[] keyID = keyEntry.getKeyID().getByteValue();
final byte[] iv = cipher.getIV();
final int prologueLength
- = /* version */ 1 + keyID.length + ((null == iv) ? 0 : iv.length);
+ = /* version */ 1 + keyID.length + (iv != null ? iv.length : 0);
final int dataLength = cipher.getOutputSize(data.length);
final byte[] cipherText = new byte[prologueLength + dataLength];
int writeIndex = 0;
@@ -2787,6 +2798,7 @@
/** {@inheritDoc} */
+ @Override
public CipherOutputStream getCipherOutputStream(
OutputStream outputStream) throws CryptoManagerException
{
@@ -2796,6 +2808,7 @@
/** {@inheritDoc} */
+ @Override
public CipherOutputStream getCipherOutputStream(
String cipherTransformation, int keyLengthBits,
OutputStream outputStream)
@@ -2833,6 +2846,7 @@
/** {@inheritDoc} */
+ @Override
public byte[] decrypt(byte[] data)
throws GeneralSecurityException,
CryptoManagerException
@@ -2905,9 +2919,12 @@
final Cipher cipher = getCipher(keyEntry, Cipher.DECRYPT_MODE, iv);
if(data.length - readIndex > 0)
- return cipher.doFinal(data, readIndex, data.length - readIndex);
- else {
- //IBM Java 6 throws an IllegalArgumentException when there's n
+ {
+ return cipher.doFinal(data, readIndex, data.length - readIndex);
+ }
+ else
+ {
+ // IBM Java 6 throws an IllegalArgumentException when there's no
// data to process.
return cipher.doFinal();
}
@@ -2915,6 +2932,7 @@
/** {@inheritDoc} */
+ @Override
public CipherInputStream getCipherInputStream(
InputStream inputStream) throws CryptoManagerException
{
@@ -2972,6 +2990,7 @@
/** {@inheritDoc} */
+ @Override
public int compress(byte[] src, int srcOff, int srcLen,
byte[] dst, int dstOff, int dstLen)
{
@@ -2999,6 +3018,7 @@
/** {@inheritDoc} */
+ @Override
public int uncompress(byte[] src, int srcOff, int srcLen,
byte[] dst, int dstOff, int dstLen)
throws DataFormatException
@@ -3033,6 +3053,7 @@
/** {@inheritDoc} */
+ @Override
public SSLContext getSslContext(String sslCertNickname)
throws ConfigException
{
@@ -3077,24 +3098,28 @@
/** {@inheritDoc} */
+ @Override
public String getSslCertNickname()
{
return sslCertNickname;
}
/** {@inheritDoc} */
+ @Override
public boolean isSslEncryption()
{
return sslEncryption;
}
/** {@inheritDoc} */
+ @Override
public SortedSet<String> getSslProtocols()
{
return sslProtocols;
}
/** {@inheritDoc} */
+ @Override
public SortedSet<String> getSslCipherSuites()
{
return sslCipherSuites;
--
Gitblit v1.10.0